POS payment terminal and a method of direct debit payment transaction using a mobile communication device, such as a mobile phone

ABSTRACT

A payment terminal using a mobile communication device (4), such as a mobile phone, is located on a removable memory card (1), e.g. a microSD-type card, which is adapted so that it can be inserted into an additional hardware slot, e.g. a memory slot. A payment POS terminal application runs on the removable memory card (1), which contains at least one payment card. The payment card's unit (7) with the card's payment application is located in the secured part of the memory, separately from the terminal's configuration data unit (6). The configuration data of the terminal's selected identity and the payment card's data are located in separate parts of the secure element or in completely independent secure elements, or they can also be located in the Sales Device of the merchant, e.g. within the ICC card (29) or SAM card (42).

FIELD OF INVENTION

The solution relates to a payment terminal located in a mobile communication device, such as a mobile phone. To realize payment processes the terminal can communicate even through its own communication element, mainly of the NFC type. The invention presented also describes a method of direct debit payment using a contactless transmission link and describes a configuration in which a temporary payment terminal with a simplified structure, intended above all for small business premises, can be created using a mobile communication device. The solution relates to an increase in security and comfort in paying over a mobile communication device with a removable memory card, for example in the form of a microSD card.

PRESENT TECHNOLOGY STATUS

Payment terminals, i.e. POS (Point of Sale) terminals that are located permanently in commercial premises, are known. The POS terminal works in such a way that the transfer of money from the purchaser's account to the shop operator's account is secured within an agreed system. Up till now, payment over a POS terminal was characterized as a payment in which the payment's recipient has a POS terminal and the paying customer uses a corresponding card as a payment device. In the first phase, a check, verification of the card holder is run—this process should be highly secured and should be realized without unreasonable effort on the side of both the merchant and the paying customer. Subsequently, a process is run in which the paid amount is automatically credited to the shop operator's account. Originally, cards equipped only with a magnetic stripe were used for the run of the payment-terminal application. However, with respect to the technical restrictions, the magnetic stripe with loaded data presented a security risk, since the magnetic stripe could be copied or changed with the use of simple technical devices. Reading internal data from a magnetic stripe is low-tech.

Therefore, an agreement on the creation of the EMV standard, using a microchip located on the payment card, was made between the card issuers Europay International, MasterCard and VISA in the second half of the nineties. The EMV (Europay MasterCard Visa) standard describes the interaction between the payment card chip and the POS terminal for the purpose of ensuring worldwide interoperability. The use of a microchip makes it possible to protect the data located on it in such a way that it is not possible to access them from the outside without a PIN. The use of a chip on the card also enables the Cardholder Verification to be realized even without an online connection to the processor headquarters. While the magnetic stripe represented a passive data carrier, the chip on the card is basically a small computer with its own computing capacity, with secured parts of the memory and with a data encryption unit. Despite the mentioned technical characteristics of the current POS terminals, it was discovered that in case of fraudulent adjustments and manipulations in the insides of the POS terminal, or in case of inserting an intermediary link to the reading device, the data from the card and the PIN code can be disclosed. It usually happens without the knowledge of the owner of the shop with the POS terminal, in case of insufficient control by the attending personnel or in some other fraudulent way.

However, no technical tools are known so far that would make it possible to convert a mobile phone into a payment terminal of the kind that would be owned by the paying customer and that would have the security required by the individual participants of the entire business relationship (payment card issuer, processing headquarters, bank, merchant).

The solution under the CN101351819 patent indicates the possibility of using a mobile phone as a POS terminal; however, it does not deal with the specific organization of the individual essential elements of the system. Many solutions, such as the ones under the patents CN101339685, CN101329801, US2008270246 (A1), SI22595 (A), US2008059375, describe the mobile phone's involvement in direct debit payments, although there are no independent POS terminal elements directly in the phone. Or, as in the US20077241180 (A1) file, there are solutions in which a mobile phone and a static POS terminal interact.

There is a demand for a technical solution which will have the high security of the EMV payment application and which will produce final payment cryptograms exactly in the form of the EMV standards, even in case of internet payments or other payments realized outside normal stores, e.g. when paying for the download of programs that are stored at the mobile operators. Solutions of this kind are either not known at the moment or they have security risks that reside in the fact that the communication may be disclosed or misused during data transfer from the paying customer's payment card to the merchant's POS terminal or virtual POS terminal, e.g. over the internet or in case of NFC or GPRS communication. If the original close contact between the POS terminal and the payment card in a normal store is lengthened to communication over the internet environment, the security risks are increased.

The existing POS terminals are distinguished by a stable structure, which among other things includes a communication channel connected to the payment processing centre, a printer, an encryption key, a card reader, mainly a reader of cards of different formats, and also a keyboard for entering the PIN code. This kind of technical configuration requires a certain amount of space and is relatively expensive. Realizations of known POS terminals are intended for stable sale locations in brick-and-mortar shops, where the high costs of purchase, installation and operation of POS terminals are balanced by reasonable turnovers of payments for purchases.

The solution according to the published patent WO2008063990 describes a system in which the POS terminal does not have a communication channel with the payment processing center and uses a mediated connection over the customer's mobile phone for it. This solution has lower security, since the payment terminal application itself runs on a remote computer and the mobile phone is only a mediator of communication. Other published patents describe a POS terminal divided in such a way that only its managing part is located directly at the payment location, and it is connected to the remaining part located in some other part of the shop. The existing solutions and published patents do not offer simple instructions on how to create a cheap, uncomplicated and eventually also portable POS payment terminal which would create payment cryptograms according to current standards, above all the EMV standards.

All currently existing solutions require relatively complicated installation and encompass many input and output devices, which increase their price. Till now, no devices are known that would be characterized by both simplicity and high security and that would be portable and usable even in small shops, such as newspaper kiosks or mobile counters selling fast food.

At a time when the use of mobile communication devices, such as mobile phones, for cashless payment applications is increasing, the demand for increased comfort and security of payment processes will rise. Mobile communication devices have the possibility of intentional but also unobserved connection with the mobile data network, which carries the risk of penetration of harmful programs into the mobile communication device's environment.

According to the patent file published as WO 2010/011670 A2, a purpose Pay-button is known. The NFC communication element necessary for the run of the contactless payment application is started by it. This button simplifies the launch of the payment application; however, its connection to the NFC communication element does not offer increased security when compared to older solutions, in which the payment application is started by a virtual button in the menu displayed on the mobile communication device's display. The analysis of possible attacks on the payment card stored within the mobile communication device pointed out a risk that an unsuitable program, e.g. in the form of a Trojan horse, initializes the payment application without the user's knowledge. Since the payment card in the mobile communication device is inserted all the time into the payment card reader, this location itself encompasses even the possibility of constant attempts to read data from the card. For this reason there is a danger that in the future it will come to the failure of the payment card's security level, e.g. even the EMV standard, which was considered to be improbable up till now, since the payment card was inserted for long term and practically without interruption in the reader, e.g. in the POS terminal or in the ATM. For this reason a solution is required which will increase not only the comfort but also the security of the payment card. The existing purpose buttons, e.g. the photo button in the mobile phone, had only the purpose of accelerating and simplifying access to a selected function of the phone, and it was not necessary to solve the security question of the conscious launch of the selected function.

The new, more secure solution should be comfortable enough that it would not lower the comfort of the attendant, which is an important prerequisite for the extension of cashless payments over a mobile phone.

BACKGROUND TO INVENTION

The deficiencies mentioned are to a great extent eliminated by a payment terminal using a mobile communication device, such as a mobile phone, in which the payment terminal contains a memory, an interface, and a microcontroller. The microcontroller is linked to the memory and, through an interface, also to the mobile communication device's circuit. The payment terminal has one unit with a payment POS terminal application and also a payment terminal configuration data unit, which is stored in the secured part of the memory. The quintessence of the invention is in the fact that the payment terminal, along with the relevant configuration data, can be stored on a removable memory card, which is adapted so that it can be inserted into the mobile communication device's slot for additional hardware, which is used to add functionalities that surpass the basic functions of the mobile communication device.

The quintessence of the solution is the configuration in which the entire process kernel of the POS terminal can be located on a removable memory card which is inserted into the mobile communication device, while the most probable usage resides in its insertion into the common memory slot of the mobile phone. The run of all internal payment POS terminal applications can be realized on the removable memory card inserted into the mobile communication device. The exception can be found in the communication processes with the payment processor's headquarters, in which the communication channels (SMS—short message service, GPRS—general packet radio service) of the mobile communication device itself can be used. The mobile communication device's displaying tools can be used to display the run of the payment application.

The transfer of the POS terminal's processing kernel only into the supplementary memory card in the mobile phone brings along surprising technical advantages, but it would also cause complications with the loading of data from the payment card, since mobile phones do not have chip card readers. An important characteristic of the solution presented is then also the fact that on the same hardware equipment, i.e. on the removable memory card, there can be placed a payment card or even several payment cards of the user. Technically this can be ensured in such a way that the removable memory card contains, besides the secure part of the memory with the data for the payment terminal, also a separate secured part of the memory with the payment card data.

During the run of the payment application, the removable memory card is inserted into the mobile communication device's slot for additional hardware, which is used to add functionalities that surpass the basic functions of the mobile communication device. The slot will be mainly, however not exclusively, the commonly used slot that is accessible from the outside of the mobile communication device, such as a mobile phone. The relevant slot is designed for technical equipment without which the mobile communication device can still meet its essential function. The slot in question therefore does not directly influence the transmission of data and/or voice in the operator's network; in this it differs from the interface for the SIM (subscriber identity module) card. The memory card, which is an important element of this invention, does not have the functionality of the SIM card. The removable memory card described in the solution in question is not dependent on the mobile phone's SIM card and can be removed from or inserted into the mobile phone without interrupting any of the regular functions of the phone.

If the communication between the payment card and the POS terminal is narrowed to data transmission within one hardware device, which is inserted into the mobile phone during the run of the application, then it is not possible to monitor and misuse this communication by common means. After the payment is realized, encrypted information about the realized payment is sent from the removable memory card. This information is distinguished by sufficient security in the form of the EMV standard. In a common configuration the mobile communication device can be a mobile phone, which will ensure outside functions, such as the communication with the payment processing headquarters, for the run of the payment application on the removable memory card. The mobile phone will also ensure powering of the removable memory card.

The removable memory card can encompass even a payment card unit with a payment application, mainly of the EMV type. This kind of payment card unit will encompass hardware and software tools for the assurance of similar functions as the chip has according to the EMV standard. The interfaces of this unit can be different, since it is not designed to be read in normal types of readers, but it will be firmly, undetachably connected with the removable memory card carrier.

Placing the POS payment terminal and the payment card into one, moreover indivisible, piece of hardware equipment made no sense until now, since the terminals were physically placed at the merchant's while they were usually owned by the bank, payment processor etc. Through the solution presented, the user can lease the payment terminal, and that being the case, it is possible to place the payment terminal and the payment card into one piece of hardware equipment. From the configuration identity point of view, the terminal will remain in the possession of a specific bank or processing institution, as was normal until now with the terminals that were placed at the merchant's. Since the communication between the payment card and the POS terminal is going to run through the controller, the microcontroller in the removable memory card's hardware, and given the miniature size of the payment device, it will in essence be technically unfeasible to read this communication illegally from the outside.

Sensitive data of the POS payment terminal, such as the encryption keys and identification data, must be stored in the secured part of the memory, preferably in the so-called Secure Element. The Secure Element is characterized by specified hardware characteristics and is subject to corresponding certification, thanks to which the participating members are willing to entrust their sensitive data to such a memory device. These POS payment terminal data must be strictly separated from access to the payment card data and vice versa. For this reason, at least two independent, separate secure memory domains can be on the removable memory card. These can be e.g. in the form of separate partitions of one secure element.

From the point of view of optimizing the processes in the payment terminal application, it is advantageous, but not necessary, if the removable memory card has two independent hardware Secure Elements. These can be in the form of two uniform chips, which can be placed independently on the printed circuit of the removable memory card. Then the first Secure Element can be intended for the storage of POS terminal data or of different POS terminals' data respectively. The second Secure Element will be intended for the storage of either the payment card's data or data of various payment cards. So the solution presented makes it possible to place POS terminals of several operators and also several payment cards of one user (i.e. payment cards of various banks issued in the name of one person) on one hardware device. Since, from the access point of view, these configuration and payment data, belonging to different companies, must be located separately, the Secure Elements will be divided into several independent domains, partitions. If two secure elements are used, then their mutual communication and the run of two applications will be enabled even in the case when the Secure Element does not have multitasking. The usage of two or several Secure Elements increases the total memory capacity available in such a way that the payment POS terminal application can run directly on the Secure Elements. In a configuration with one Secure Element it will be more suitable to use another, mostly cheap and unsecured, memory to which the payment POS terminal application will be loaded and on which it will run during the payment process.

Besides containing the common memory itself, the memory card can hold a secure element in the form of a chip with secure memory, in which a unit with the terminal's configuration data is stored. This unit is used for secure storage of the data the terminal needs to assign its own identity. In principle these are mostly data determining to whom the terminal with the relevant data belongs.

The secure element is connected with the microcontroller. The term microcontroller can mean even a controller or just some narrowed hardware in the form of a controller. The microcontroller can also be arranged in such a way that its functions are divided, e.g. the controller part is separated from the computing part in another chip. In order to be able to run the payment POS terminal application, the microcontroller can also be connected to the memory card's memory, in which the unit with the payment POS terminal application is stored. This application can be particularly in the form of an EMV application. The microcontroller reads the payment POS terminal application from the respective unit, by which it becomes a so-called Generic POS Terminal. It is a general POS payment terminal, though at this moment still indifferent. In order for the POS payment terminal to become associated with some specific bank or specific institution, it has to download the terminal configuration data from the selected unit in the smart card chip.

This configuration makes it possible to insert a configured and adapted memory card that can realize payment POS terminal operations into a common mobile phone which has a slot for memory extensions.

The payment card unit will be located in a secured part of the memory, separately from the unit with terminal configuration data, preferably on independent domains of the secure element in a specialized chip. As for the suitable structure of the memory card, and with respect to the high penetration of mobile communication devices with an SD slot, it is suitable for the card to be of the SD type, or a miniSD or microSD card, or perhaps even M2 (Memory Stick Micro). Then the memory card's interface towards the mobile communication device's circuit will be of the SD or M2 type of interface. The microcontroller can be connected to the card's interface as stated by the specification defined by the SD Card Association (Technical Committee SD Card Association).

In order to reach sufficient data throughput, it can be suitable if the payment card had at least a two-conductor, or better a four-conductor, data bus. It is preferable for the card to have its largest dimension smaller than 24 mm and its second largest dimension smaller than 14 mm.

The microcontroller can be equipped with undeletable internal memory, preferably of the EEPROM type. In order to achieve a sufficient level of security, the microcontroller can also contain a boot-loader unit for the control of unauthorized interventions in the loaded POS payment application. The boot-loader can be located in the read-only part of the microcontroller's processor memory and it runs after each reset of the terminal. The boot-loader's function is to check that the operating system and application programs have not been changed by any unauthorized intervention. After each reset, the boot-loader calculates the Hash value (digital signature) from the contents of the program's external flash memory, where the operating system and the applications are stored. Then it compares the result with the value stored in the EEPROM internal memory. If the data are equal, then the boot-loader hands over management to the operating system. If not, then the boot-loader decrements the counter of unsuccessful attempts and then stops. In case the counter reaches 0, it is no longer possible to start up the microcontroller. In the memory, there can be an operating system stored (as a beginning and an end of the addressed area), while the Hash value of the memory's contents (digital signature) is stored into the microcontroller during the first save of the operating system and applications. Later on, it is not possible to change this data anymore.
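The reset-time check described above, modelled as an added example that is not part of the patent text. SHA-256, the initial counter value of 3, the choice not to restore the counter after a good boot, and all names are assumptions; the sample flash image is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class BootResult(Enum):
    HANDOVER = "management handed to the operating system"
    HALTED = "mismatch: counter decremented, boot-loader stopped"
    LOCKED = "counter is 0: start-up no longer possible"


class ProvisioningError(Exception):
    """Second write of the reference hash, or boot without one."""


def measure(flash: bytes, start: int, end: int) -> bytes:
    # SHA-256 is an assumption; the text only speaks of a "Hash value".
    # A truncated image gives a shorter slice and so a different digest.
    return hashlib.sha256(flash[start:end]).digest()


@dataclass
class Eeprom:
    """Model of the microcontroller's internal EEPROM (hypothetical layout)."""
    attempts_left: int = 3                     # assumed initial value
    region: Optional[Tuple[int, int]] = None   # begin/end of the measured area
    reference: Optional[bytes] = None          # hash written at first save

    def provision(self, flash: bytes, start: int, end: int) -> None:
        # The reference value is write-once: later changes are refused.
        if self.reference is not None:
            raise ProvisioningError("reference hash can be written only once")
        if not 0 <= start < end <= len(flash):
            raise ValueError("measured region lies outside the flash image")
        self.region = (start, end)
        self.reference = measure(flash, start, end)


def boot(eeprom: Eeprom, flash: bytes) -> BootResult:
    """One reset cycle of the boot-loader."""
    if eeprom.reference is None or eeprom.region is None:
        raise ProvisioningError("no reference hash stored; refusing to start")
    if eeprom.attempts_left <= 0:
        return BootResult.LOCKED               # checked before any hashing
    actual = measure(flash, *eeprom.region)
    if hmac.compare_digest(actual, eeprom.reference):
        return BootResult.HANDOVER             # counter is not restored (assumption)
    eeprom.attempts_left -= 1                  # persisted before stopping
    if eeprom.attempts_left == 0:
        return BootResult.LOCKED
    return BootResult.HALTED


# Constructed sample: 16 unmeasured header bytes, then the measured image.
HEADER = b"\x00" * 16
IMAGE = b"constructed OS and POS application image"
SAMPLE_FLASH = HEADER + IMAGE
SAMPLE_REGION = (len(HEADER), len(HEADER) + len(IMAGE))


def tampered(flash: bytes, offset: int) -> bytes:
    """Return a copy of the image with one bit flipped at offset."""
    buf = bytearray(flash)
    buf[offset] ^= 0x01
    return bytes(buf)


def run_demo() -> List[BootResult]:
    """Good and modified images across six resets of one device."""
    eeprom = Eeprom()
    eeprom.provision(SAMPLE_FLASH, *SAMPLE_REGION)
    bad = tampered(SAMPLE_FLASH, SAMPLE_REGION[0] + 4)
    sequence = [SAMPLE_FLASH, bad, SAMPLE_FLASH, bad, bad, SAMPLE_FLASH]
    return [boot(eeprom, image) for image in sequence]


if __name__ == "__main__":
    for step, result in enumerate(run_demo(), 1):
        print(step, result.name, "-", result.value)
```

A change outside the stored begin/end addresses, such as the header bytes here, is not detected, so the measured area has to cover everything the microcontroller executes.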

In a common version, the microcontroller can have a 32-bit microprocessor structure.

The utility of the terminal can be increased significantly by a configuration in which the payment terminal has its own communication channel, i.e. it is in principle independent of the mobile device's communication paths. This configuration version will be characterized by the memory card containing a contactless communication element that is connected to the secure elements and/or a microcontroller. It is preferable if there is an antenna located directly on the memory card and if the antenna is connected to the contactless communication element. In this way the functional independence of the terminal will be achieved. The contactless communication element can be equipped with detection of the surrounding electromagnetic field, due to which its circuits will be activated only at the time of the required connection, which lowers the terminal's energy demand. The terminal can be powered by the electromagnetic field and by the mobile phone's power supply through the relevant memory card's interface. The contactless communication device can be linked to all the units on the secure element with the exception of the encryption unit, which will be accessible only through the microcontroller to lower the risk of unauthorized breach of the code. With respect to the existing distribution of communication types, it is preferable for the communication element to be of the NFC type according to the ISO 14443 Standard.

The payment terminal can have several individual units with configuration data from different independent terminals in the secure element. These will be stored in separate domains of the secure element. This technical solution will enable the payment terminal to activate as a terminal belonging to different payment processors. This ability will depend on the user's choice or on other commands. In this way one memory card can subsume and sequentially run the functions of several independent payment terminals. This configuration will be advantageous especially when the mobility of the payment terminal described and its independence of a particular merchant are considered, or when it will be preferable to have the possibility of choosing the payment terminal's identity and ownership.

The payment terminal can also contain several payment cards by having several independent units holding independent payment cards with their respective payment applications in the secure element. So the payment terminal can be not only a multipayment terminal but also a multiple card. With the increasing number of cards owned by one user, this solution will create space for the comfortable and safe union of these payment means into one memory card that is inserted into a mobile phone.

The memory card's memory, preferably in the form of a flash memory, can have at least one part of its space protected. That being the case, a payment POS terminal application unit can be stored in this memory. This unit could be located even directly in the microprocessor or in the secure elements, but in some circuit board architectures this kind of solution might not be sufficiently flexible when the required size of the memory area is considered. Moreover, the payment POS terminal application will need to be gradually updated, an activity that could be carried out by the download management unit that is stored in the memory. The memory card can be equipped with a memory controller processes unit used for data flow management. If there is any need for communication between the memory card and the mobile phone through a web interface, a web server unit can be included in the memory card.

According to the description presented, the terminal's utility will be increased by extending it with functions of a non-financial character. Existing elements of the memory card, an independent secure element domain, the contactless communication element and also the encryption unit can be used to control external devices, e.g. as a remote control, an electronic key to a gate etc. In that case, a non-financial application unit that is initialized over the microcontroller can be in the secure element or in the governing smart card chip.

In the configuration according to this solution, the memory card with the payment terminal function can furthermore fulfill the function of extended memory of the mobile communication device. In the unprotected part, the memory can have an area for freely accessible data of the user, such as pictures, music files and similar. This part is directly visible when viewing the mobile communication device. In the memory for data that are hidden from the user there can be system data, such as records of the payment transaction results and similar.

The system can be supplemented with a payment POS terminal application initiator for the purposes of paying in a standard shop; the initiator can be in the form of a simple hardware element or it can be a part of the cash register. The initiator can have a payment value generation unit. The merchant enters the amount of the required payment over the initiator. This amount can also be generated as the final purchase amount output from the cash register. The initiator is attached to, or is directly equipped with, a communication element which is compatible with the communication element on the removable memory card or with the short distance communication element of the mobile communication device.

According to this invention, the direct debit way of payment using a mobile communication device is based on the fact that the payment POS terminal application can run on the removable memory card that is inserted into the mobile phone's slot for additional hardware, and the payment card application also runs on the same hardware device. The run of the payment POS terminal application that was known up till now was characterized by the fact that the payment card was connected to the POS terminal temporarily, during the realization of the payment. According to the solution presented, the payment card is firmly connected to the payment terminal and therefore the communication between the POS terminal and the payment card can run directly over the payment card's circuits. Various new possibilities for payment application procedures arise from this technical solution, and in principle the payment POS terminal application's result can be in the format used today—the EMV payment cryptogram.

In one of the possible procedure versions, the payment POS terminal application is loaded into the microcontroller in the memory card and subsequently the configuration data of the selected terminal's identity are loaded from the corresponding secure element. An important feature is also the possibility of loading the payment card data from the secure element into the microcontroller, which operates as the payment terminal, so the data are loaded from the same hardware equipment that the payment POS terminal application uses for its run. In case the secure element has sufficient computing capacity, the payment POS terminal application can run directly in the secure element. This will happen e.g. in case two secure elements are used, one for the payment terminal, another for payment cards. Even in this configuration the payment POS terminal application can be created as an indifferent one, common to all of the payment terminal's identities; and the identification data from the corresponding, independent domain of the secure element are loaded into the payment POS terminal application only after the payment terminal is selected. The version using an independent payment POS terminal application with already inserted configuration data is also not excluded.

To increase the level of security, it is preferable that the boot-loader runs the check for changes in the payment POS terminal application before the payment POS terminal application itself is run. The payment POS terminal application will be managed through an input device of the mobile communication device, mainly the keyboard.

It is possible to create even a “light POS” with a structure that simplifies the requirements on the merchant's technical equipment, on the same technical basis as in the case when payment cards, or at least one payment card, are located on a removable memory card and when a payment terminal application runs on the same removable memory card. The subject matter of this version of the configuration is in the fact that the POS payment terminal is created on the removable memory card during a temporary connection of the Sales Device with the removable memory card. The Sales Device belongs to the merchant or is held by him and contains a secured unit with identification data, which above all encompass the data necessary for matching the POS payment terminal to the corresponding merchant's bank account. Basically the Sales Device is formed by hardware which ensures the correct identity of the temporarily created POS payment terminal.

An important characteristic of this usage of the common basic technical idea lies in the fact that a POS terminal with structures defined beforehand is created from a temporary connection of two parts. The connection is labeled as temporary, since after the payment process is ended, the parts disconnect, the communication channel is interrupted and another new connection between the Sales Device and another removable memory card can be created. Naturally, a repeated connection between a removable memory card and a Sales Device that cooperated before is also not excluded. The temporality of the connection is understood as a time phase limited in reality by one payment process, while some time of connection before the beginning and after the end of the payment process can also be supposed. The possibility of always pairing a new pair of elements on the side of the merchant and the paying customer is a solution in which it is always possible to create a POS terminal in the mobile communication device of a paying customer, with the POS terminal having the identity of the corresponding merchant.

The Sales Device collocation of words is not a commonly used term in the field of POS payment terminals and under this collocation it is necessary to imagine any type of hardware element equipped with corresponding software for the realization of functions according to this description. The Sales Device behaves as a POS payment terminal from the outside and the merchants will usually call it that way in practice, however from the structure and run of the application point of view, the Sales Device is only an important but not sufficient part of the entire POS payment terminal. Therefore, it is necessary to understand the term Sales Device in general meaning as a part of the terminal, which is basically connected to the merchant, or to the purchase location and ensures the correct routing of debit payments.

In the entire POS payment terminal the Sales Device can have two basic functions: to carry the identity of the POS terminal and to enter the value of payment. In principle, even a narrower hardware version is possible, in which the payment's value is entered over the keyboard of the mobile communication device. However this kind of version is uncomfortable for the merchant since he would have to control the customer's mobile communication device or he would have to trust the customer to enter the correct payment amount into the payment terminal application. The inserted value could be displayed also on the Sales Device display so the merchant could check it, however it would be much more comfortable if the paid amount was entered through the elements on the merchant's side. The version described in this section with entering the payment value over the mobile communication device's keyboard would not have to fulfill some standards (e.g. EMV) on the merchant's behavior and operations during debit payment realization, however it is in principle realizable using the principle of the solution presented.

Sales Device is not able to perform payment terminal application independently and it does not have to have communication channels for the creation of the connection with the processing centre. The hardware set is capable of fulfilling all basic functions of a common POS payment terminal only by connection of Sales Device of the merchant with the removable memory card, inserted into the customer's mobile communication device. The temporary connection can be basically created for the realization of each individual payment, while it can always be a different communication device on the side of different customers. Exactly the mobile communication device is capable to create the necessary connection with the payment centre thanks to the existing GSM/GPRS (Global System for Mobile Communications/General packet radio service). However, this connection does not have to be created during each payment since the solution according to our description is capable of processing off-line and on-line payments.

The removable memory card structure for the connection with Sales Device is similar to the variants mentioned beforehand. It also contains hardware and software elements in order for the set made of Sales Device and mobile communication device to be capable to run and execute payment terminal application, which in the process view forms the kernel of the debit payment operation, directly on the removable memory card. Since the set made of Sales Device and the mobile communication device does not have to be equipped with the external payment card's reader, it will be suitable if even secured memory with the payment card unit will be directly on the removable memory card. Also a unit for the run of payment-terminal application and the communication element for the connection with Sales Device will be on the removable memory card. Besides the secured memory with identification data of the POS payment terminal, the Sales Device also contains a communication element for the connection with the removable memory card. Thanks to these elements the POS payment terminal is created with the help of a common mobile phone with the slot for the card which extends memory. So the removable memory card can encompass generic payment terminal which will become a specific payment terminal with unique identity only after it connects with Sales Device. The Sales Device will give a clear identification, for the benefit of whom should the payment be made, to this temporary connection. Since there is interest in this function even in the mobile phones without NFC (Near Field Communication) communication element, such NFC communication element can be included directly on the removable memory card. In principle, the connection between the mobile communication device and Sales Device can be in the form of contact interface, however that would require a complicated unification of the connectors and problems with compatibility. Therefore it will be suitable, if not only solution, for the connection between the Sales Device and removable memory card to be in the form of NFC communication channel, which is widely standardized.

Thanks to the described configuration it will be possible for the merchant to have only a very simple Sales Device, which will carry the information on identity, terminal's number and to that one an account number of the corresponding merchant can be assigned in the payment processor centre. This kind of Sales Device will be very small and simple. It can be in the form of a small box with a display and keyboard through which the merchant will enter the required payment amount. The identification data can be stored directly in the corresponding element on the printed circuit of Sales Device, or they can be stored on the ICC (integrated circuit card) card or on other carriers as e.g. up until now known SAM (Security Authentication Module) cards with cryptographic key. In this version a SAM card of the size of a common SIM card (Subscriber Identity Module) is used, which is accessible after taking off the cover of the Sales Device. The SAM card is inserted into the Sales Device before the first activation.

The customer will tap his mobile communication device to the Sales Device. By tapping it a NFC communication channel will be created and information on the identity of this temporarily created POS payment terminal will be sent from the Sales Device into the removable memory card. Then the identification data can be encrypted by a Master Key that is stored within the Secure Element in the Sales Device. The input data from the Sales Device will become the basis for the run of the payment-terminal application after they are read on the removable memory card. The payment-terminal application can be loaded in indifferent form, without its own identity on the removable memory card. Basically, after the creation of the temporary connection between the Sales Device and the removable memory card, the general, generic, indifferent terminal will transform into a particular POS terminal, which is assigned to a corresponding merchant into the system. This phase forms some kind of preparation on the start of the new one-time POS terminal. Subsequently, a payment terminal application e.g. of the EMV type can run during the connection in a similar way as in standard POS terminals as it is up till now.

The encryption of the POS terminal's identification data is done with a Master Key, which in general can be and mostly even will be different from the encryption keys, which are used later on by the payment terminal application for the creation of the payment cryptogram. The Master Key can be e.g. from the supplier of the Sales Device hardware and encryption keys of the payment-terminal application can be issued by a bank or a payment processor. The difference of the encryption keys in practice will be conditional on different requests of individual entities operating in the payment clearing system.

To increase security, even the entry about the payment amount can be encrypted during the transfer from the Sales Device to the mobile communication device. This lowers the risk that the paying user could lower the payment value even before the payment terminal application kernel is run. This kind of change would show itself on the final confirmation of the payment on the side of the merchant in the form of displaying the paid amount, however through inattention or a routine approach the merchant might not notice the change in the amount.

The configuration in which the communication with the unit of the selected payment card is done directly on the removable memory card during the run of the payment terminal application is suitable. Several units of independent payment cards can be stored on the removable memory card and that either on the physical separate secure elements or on independent domains of one secure element. In this configuration the payment terminal application can run directly on the removable memory card and the data on the customer's payment card are not sent over external readers and neither into internet area, a fact that has positive impact on the security of the payment operation.

The Sales Device can be in different forms; besides a small box with the keyboard, which contains the Secure Element with identification data directly, it can be created even in such a way that within it is a created reader of external cards preferably of classical standard ICC (integrated circuit card) card format. Then the sensitive data can be loaded into the chip of this kind of card. The card's chip also contains a certain memory capacity which can be used suitably for the entry of data on realized payment transactions. After the day is over, the merchant can leave the basic part of the Sales Device in the shop, e.g. in the newspaper stand and take only the ICC card with him. In case he takes ICC card from the Sales Device, he can take it for processing into the bank or he can back up the data from it in his home computer by using a reader. In case the merchant has several mobile stands, there can be several Sales Devices combined with one ICC card with identification data of one terminal and one banking account and on the other hand one Sales Device can be used successively with several ICC cards belonging to different merchants within multiple shift business premises of one store.

It is suitable, if not necessary, if Sales Device has its own interface, e.g. of the USB format for the connection with extending accessories, which enables for the payment data to be printed directly from Sales Device, or respectively over this connector it is possible to connect the payment card reader, GPRS modem and similar.

After implementation of the systems here described into practice it can be supposed that the mobile communication device can become attack target with the goal of stealing the data of payment card, which is constantly prepared for the cooperation with the mobile communication device's circuits. At this moment it is not possible to indicate in which direction the strategy of these pertinent hackers will go, since the presented solution is new and was not widespread till now. However it can be supposed, that there will be tendencies to misuse the constant promptness, readiness and connectivity of the payment card, or respectively the payment terminal on the removable memory card. In ideal configuration it will be possible to lower this risk in case the removable card had two independent access modes. One access mode is designed and set for the common function of the removable memory card which rests in the extension of the memory capacity of the mobile communication device, such as a mobile phone. This access mode prevents access to the unit with the payment card and to the contactless communication element on the removable memory card. Basically in this access mode on the removable memory card's interface this card appears to be a common removable card without the secure element and without the communication element on the removable memory card.

The second access mode is designed and set for the payment function of the removable memory card, where the access to the unit with the payment card and also to the contactless communication element on the removable memory card is allowed from the mobile communication device's circuits over an interface. In case there is even the unit with the payment terminal located on the removable memory card, then this unit is also accessible just and only in the access mode for the payment function.

The two modes are alternatively selectable; it is important that the access mode for the payment function of the removable memory card can be active only after a physical press of the hardware payment button.

The removable memory card, on which at least one payment card unit is located, appears to be a removable memory card for the extension of the memory capacity of the mobile communication device on the interface and that up until the moment when the purpose payment button is physically pushed. Then the removable memory card is made accessible on the interface as a card with Secure Element and at least one payment card unit.

The removable memory card according to this version of suitable solution has an architecture which encompasses a commonly accessible flash memory and also has hardware and software elements of the payment card, or even of the payment terminal. During common usage of the mobile communication device, the removable memory card behaves as if it contained only a flash memory for the extension of the memory capacity with a corresponding microcontroller. In this state the reading and writing of files is enabled in the memory of the removable memory card, however other elements, e.g. the Secure Element, the NFC communication element are hidden and cannot be managed or run in this mode.

The existence of the purpose hardware payment button enables the change of the removable payment card's character on its interface level to be tied exclusively to the physical press of the payment button. The necessity of physical press of the button excludes the possibility to run the payment application by some undesirable software or script imitating the will of the user.

By this configuration we will exclude the risk that the removable memory card's interface will be misused for the trials to overcome the security elements without the user's knowledge. The connection between the physical press of the button and run of the corresponding Firmware can be stored in the memory in such a way that it is either never possible to rewrite it, change it or update it or it is not possible to do it without the corresponding password. The unauthorized program then cannot emulate the signal from the physical payment button in such a way so this signal could appear as a real physical press of the button to the other steps of the application's run. Since the intruder will not have the possibility to physically press the button described on the remote mobile communication device, it is excluded that he could gain uncontrollable access to the payment card's unit or to the unit of the payment terminal on the removable memory card. The removable memory card will behave as a standard memory card and only after physical press of the payment button will switch into the payment card mode. The end of payment application will automatically switch the card's mode into the common card extending the memory capacity mode.

The offset of the previously described run of the payment process in the mobile communication device is based on the same principle of two access modes. This procedure variant is based on the fact that the removable memory card is in the access mode for the common function extending memory capacity before the run of the payment process. Then the unit with the payment card, and pertinently even the contactless communication element and the unit with the payment terminal, in case they are located on the removable memory card, are inaccessible from the side of its interface. Only exclusively after the physical press of the hardware payment button, the removable memory card switches into access mode for the payment function of the removable memory card with allowed access to the unit with the payment card.
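The two access modes described above can be modeled as follows. This is an added example, not part of the original document: the class, unit names and command names are hypothetical, and the hardware button line is represented by a method that the host command path never calls.

```python
from enum import Enum


class Mode(Enum):
    MEMORY = "memory"    # common memory-extension function
    PAYMENT = "payment"  # payment function


class RemovableCard:
    """Hypothetical model of the card's two access modes (all names are assumptions)."""

    # Units the card presents on its interface in each mode.
    VISIBLE = {
        Mode.MEMORY: {"flash"},
        Mode.PAYMENT: {"flash", "secure_element", "nfc", "pos_terminal"},
    }

    def __init__(self):
        self.mode = Mode.MEMORY
        self.flash = {}
        self.audit = []  # refused requests, kept for later review

    def enumerate_units(self):
        """What the phone sees when it queries the card."""
        return sorted(self.VISIBLE[self.mode])

    def on_button_line(self):
        """Hardware path: stands for the firmware handler wired to the
        physical payment button. No host command is routed here."""
        self.mode = Mode.PAYMENT

    def handle_host_command(self, unit, op, *args):
        """Host interface path: everything software on the phone can send."""
        if op == "set_mode":
            # Software cannot imitate the button press.
            self.audit.append(("set_mode", self.mode.value))
            return ("ERR", "mode change requires button")
        if unit not in self.VISIBLE[self.mode]:
            # Answer as a plain memory card would: the unit does not exist.
            self.audit.append((f"{unit}.{op}", self.mode.value))
            return ("ERR", "unknown unit")
        if unit == "flash":
            if op == "write":
                name, data = args
                self.flash[name] = data
                return ("OK", len(data))
            if op == "read":
                return ("OK", self.flash.get(args[0]))
            return ("ERR", "bad op")
        if unit == "pos_terminal" and op == "end_payment":
            # End of the payment application switches back automatically.
            self.mode = Mode.MEMORY
            return ("OK", "payment ended")
        return ("OK", f"{unit}.{op}")


def scenario():
    """Constructed sequence: software probes first, then the user presses the button."""
    card = RemovableCard()
    apdu = b"\x00\xa4"  # constructed placeholder bytes
    out = [
        card.enumerate_units(),
        card.handle_host_command("flash", "write", "a.txt", b"x"),
        card.handle_host_command("secure_element", "apdu", apdu),
        card.handle_host_command("card", "set_mode", "payment"),
    ]
    card.on_button_line()  # physical press
    out.append(card.enumerate_units())
    out.append(card.handle_host_command("secure_element", "apdu", apdu))
    out.append(card.handle_host_command("pos_terminal", "end_payment"))
    out.append(card.mode.value)
    out.append(card.handle_host_command("nfc", "send", b"\x01"))
    return out, card.audit


if __name__ == "__main__":
    results, audit = scenario()
    for line in results:
        print(line)
    print("refused:", audit)
```

The audit list records every request that reached a hidden unit or tried to change mode from software, which is the signal a defender would watch for on such a card.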

DESCRIPTION OF DRAWINGS

The solution is explained in detail on the FIGS. 1 to 14.

On the FIG. 1, there is a block scheme of the memory card's individual elements with displayed connection between individual elements on the memory card with one divided secure element, on which there are protected data from payment POS terminal also from several payment cards.

The FIG. 2 presents a solution in which there is a mobile phone with a memory card during payment in the internet shop or during payment for downloaded files from the mobile network.

On the FIG. 3 there is removable memory card of the microSD type with two independent Secure Elements and with the communication element that is located directly on the memory card just like antenna is. This figure can also depict the configuration with the unit of indifferent POS payment terminal and with four independent payment cards' units from various banks.

On the FIG. 4 there is a pre-paid removable memory card with a simplified architecture in the option with two secure elements.

On the FIG. 5 there is succession of tasks within payment application running on the removable memory card while paying for the file offered in the mobile network.

On the FIG. 6 there is a solution with the payment initiator, where the initiator is located practically permanently next to the cash register in the physical shop.

On the FIG. 7 there is schematic demonstration of the outside perspective on the mobile communication device in the form of a common mobile phone, which is placed near the Sales Device. Measurements, shape nor proportion ratio of the mobile communication device to Sales Device are not obligatory and are chosen only with the view of better clarity of the scheme. In the figure, the mobile phone and the Sales Device do not overlay for the purpose of increasing the clearness of the figure, however in reality the mobile phone can be placed directly to the surface of the Sales Device.

On the FIG. 8 there is a perspective on the basic structure of the Sales Device, where it is also visible that the communication element on the side of the mobile phone is located in the removable memory card. The memory with the identification data of the POS terminal is located in the removable memory card. The memory with the identification data of the POS terminal is located in the SAM card. On the FIG. 8 there is also the NFC communication channel between the removable memory card and Sales Device.

On the FIG. 9 there is a scheme of the Sales Device structure in the configuration where the ICC card of the merchant is inserted into the body of the reader.

On the FIG. 10 there is a configuration with the connection to cash register. The Sales Device encompasses the ICC card's reader and it also has a mini USB connector.

On the FIG. 11 there is a schematically displayed diagram showing the successiveness of the payment application's run with the press of the hardware payment button, where it is possible to see the localization of the individual tasks and processes during the launch of the application on the level phone hardware/phone firmware/removable memory card.

On the FIG. 12 we can see the structure, with which the removable memory card is presented on the outside in case of common extension of the mobile phone's memory access mode.

On the FIG. 13 there is the structure, with which the removable memory card is presented on the outside in case of payment card access mode. In this configuration there is even the unit with the payment terminal located on the removable memory card.

On the FIG. 14 there is an example of mobile phone with the payment button.

EXAMPLES OF APPLICATION

Example 1

In this example there is description of the solution with two independent Secure Elements 31, 32 according to the FIG. 3. The usage of separate hardware Secure Elements 31, 32 simplifies certification requirements, which are set by individual participants of the payment system (the card's issuer, clearing center operator) on the storage of their sensitive data on the Secure Elements 3, 31, 32. In this example each of the Secure Elements 31, 32 is also divided into independent domains, which can be offered to different card issuers and to different owners of the POS terminal's configuration data. The Secure Elements 31, 32 are in the form of independent chips on the circuit board, where they are connected with the controller, which fulfills the role of the microcontroller 12. Their interface towards the controller 12 is the ISO 7816. The removable memory card 1 is in the form of the microSD card. ASIC (application-specific integrated circuit) chip, which is set to execute the NFC platform communication processes and by doing that it is fulfilling the function of the communication element 13, is connected with the microcontroller 12. The antenna 21, which is located directly on the removable memory card's body 1, is designed in accordance with different patent filings of the patentee and is connected to the ASIC chip in such a way that it enables NFC communication, which is independent of other hardware of the mobile phone 4. The removable memory card 1 contains also a common flash memory 2, e.g. with the capacity of 2 GB. The user cannot access one part 20 of the memory 2 from the mobile phone's interface 4; this part of the memory is used for the archiving of realized payments records. The rest of the memory 2 is used for common storage of music, pictures and similar, thanks to which the entire memory card 1 appears to be a common memory media to the user. By placing the POS terminal and the payment card onto a removable memory card 1 the initial function of the mobile phone's 4 slot designed to extend memory capacity, did not disappear.

The payment can run in two different varieties. E.g. as shown in the FIG. 6, the user of the mobile phone 4 decides he wants to buy a map in the electronic form in an internet shop. In this case the operator of the internet shop can be the mobile phone 4 producer. The microSD memory card 1 produced in accordance with the technical solution described, is inserted into the lateral slot that is accessible from the outside of the mobile phone 4. On the secure element 31 there are stored the POS terminal configuration data 6 belonging to several people, among them even the internet shop's operator. After selection of the item being purchased, a request for payment of corresponding amount is sent from the internet shop into the mobile phone 4. The user presses the payment button, with which the phone is equipped. In another payment example, the payment selection can be initialized by the software button displayed on the mobile phone's 4 display. The request for the launch of the payment POS application is sent to the interface 11. The payment POS terminal application runs on the memory card 1 in the same way as it does in case of a relationship between a standard POS payment terminal and the payment card, which is inserted in the POS terminal's reader. The mobile phone's 4 display is used to manage the run of the payment. The user selects the payment card from which he wants to pay the required amount. After activating the application in the corresponding unit 7 of the selected payment card, the run of the payment can be also managed by the preset rules of the risk management of the corresponding card's issuer. Depending on this, it will be or it will be not necessary to enter the payment's card password.

After ending the payment POS terminal application, the connection between the POS payment terminal and the payment card is disconnected by the software and the resulting payment cryptogram is sent over GPRS channel to be processed in the internet store. After the internet store receives and decrypts the payment file, the payment is evaluated and in case of an affirmative result the item that was paid for, in this example the map, is sent to the mobile phone 4.

Example 2

Payment terminal on the removable payment card 1 platform of the microSD type that is comparable in shape and parameters to a standard microSD card is described in this example. The payment card 1, as in FIG. 1, has a microcontroller 12 in the form of 32-bit microprocessor that operates on multi-task operating system 8; in this example it is Linux. A flash memory 2, secure element 3, and SD interface 11 are connected to the microcontroller 12. Microprocessor 12 contains an internal EEPROM memory 10 and boot-loader unit 9 that controls non-authorized interventions in the loaded payment POS terminal application.

The flash memory 2 is divided into secured and unprotected part. In the unprotected part there is a space 15 for the freely accessible and visible data of the user and a space 20 for hidden system files, especially the records of the payment transactions that are processed by the payment terminal. In the secured part of the memory card there is a unit 8 holding operating system, in this example it is Linux, and above all the payment POS terminal application unit 5 where a payment POS terminal application is saved, in this case it is an application of EMV type. In this example, in the secured part of the memory 2 there is also download management unit 19 that is used for storing and software update management on the memory card 1. In case it is necessary to load/upgrade applications in the smart card chip 3, then the binary data of the application are loaded into the unprotected part of the flash memory 2, e.g. to the system data unit in the space 20 where data that are hidden to the user are stored. The download management unit 19 checks periodically whether there is any new file in the system data unit that should be loaded into the secure element 3. If yes, then a respective installation is run.

In the secured part of the memory 2 there is also the SCWS web server unit that is used to manage applications, except the EMV payment application, that are stored in the secure element 3. In the microcontroller 12 there is a memory space, where the operating system is stored (as a beginning and an end of the addressed area). The Hash value of the memory's capacity (digital signature) is stored into the microcontroller 12 during the first operating system and application save. Later on, it is not possible to change this data anymore, which ensures protection against prohibited software changes.

Several individual domains are created in the secure element of the smart card chip 3. In this document there are three of them used to hold three independent terminals' configuration data units 6 that belong to three different payment processors. Two parts of the secure element contain two independent payment cards 7 with respective payment applications of the EMV type. The example given here, therefore describes a solution, which enables the user to pay by two different payment cards at three terminals while each of them belongs to a different payment processor. For example one of these payment processors can be a mobile phone network operator who connects his telecommunication services to the direct debit payment transaction processing services. On the secure element, there is also RSA encryption unit 14.

The memory card 1 also has its own NFC contactless communication element 13 with the antenna 21 placed on, respectively within the memory card 1. This configuration enables creation of NFC communication connection between a common phone without the NFC chip and relevant reader meeting the ISO14443 standard.

In the secure element 3 there is also the non-financial application unit 16, that, in this example, is configured to operate as electronic contactless key for door opening.

The flash memory 2 controller 17 is in the secured part of the memory 2 and it manages data transfer between the mobile phone and the flash memory 2 on the memory card 1. The flash memory 2 controller 17 units the possibility of viewing the data or writing to the secured part of the memory 2 and also units the possibility to view the unprotected part of the memory 2 in which the system data unit (reading and writing is permitted) is located.

The payment POS terminal application runs on the removable memory card 1 that is inserted into the mobile communication device's slot 4 for additional hardware. The payment POS terminal application is loaded into the microcontroller 12 in the memory card 1 and subsequently the configuration data of the selected terminal's identity are loaded from the secure element 3. The selected payment card data are loaded from the secure element 3 into the microcontroller 12 that operates as a payment terminal. Which payment card data are loaded, depends on the user's choice.

The boot-loader 9 runs a change control of the payment POS terminal application before the payment POS terminal application itself is started. The payment POS terminal application is managed using keyboard and display of the mobile communication device 4. The mobile phone has a graphical GUI interface (Graphic User Interface) that enables communication between the user, memory card 1 and HOST processor. There is also push SMS technology in the phone. The payment POS terminal application is an SD microcontroller application 12 that enables on-line and off-line payments using the payment application on the microSD memory card 1. The payment is realized as “Card is present”, which highly increases the security: the transaction is signed with the cryptogram and during each transaction the ATC counter increases by one, which means that it is not possible to generate unlimited number of transactions in order to get some keys. The client manages the payment POS terminal application through a GUI application that is installed in his own phone. In this example the payment POS terminal application, along with the microcontroller 12 forms a Generic POS terminal. In a different configuration, the Generic POS terminal can be formed of payment POS terminal application along with a computing element that is directly in the chip with the secure element. Subsequently, along with configuration parameters, they form EMBEDDED POS TERMINAL: Terminal_type 1× = terminal that belongs to a financial institution, 2× = a terminal that belongs to a merchant, 3× = a terminal that belongs to the card holder (Card holder terminal). The terminal's configuration data unit 6 contains the ID number of the terminal, PDOL data (Processing Option Data Object List), Terminal Risk Management, off-line batch file format, SMS gate on the HOST, IP address on the HOST, code to sign off-line transactions. The Payments can be off-line or on-line. The communication with the payment processor can be realized through SMS messages or through GPRS.
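The boot-loader change control and the reference hash stored at the first save, both described in this example, can be sketched as follows. This is an added example, not code from the original document: it assumes the hash covers the contents of the addressed area between the stored beginning and end, uses SHA-256 because the text names no algorithm, and all class and function names are hypothetical.

```python
import hashlib
import hmac


class WriteOnceRegister:
    """Models microcontroller storage that accepts a single write.

    The text says the stored value cannot be changed later; here a
    second write raises an error.
    """

    def __init__(self):
        self._value = None

    def provision(self, value: bytes) -> None:
        if self._value is not None:
            raise PermissionError("reference hash already provisioned")
        self._value = bytes(value)

    def read(self) -> bytes:
        if self._value is None:
            raise RuntimeError("reference hash not provisioned")
        return self._value


def region_digest(memory: bytes, start: int, end: int) -> bytes:
    """Hash the addressed area [start, end) holding the OS and the POS application."""
    if not (0 <= start < end <= len(memory)):
        raise ValueError("addressed area outside memory")
    h = hashlib.sha256()
    # Choice made for this example: bind the boundaries into the digest so
    # the same bytes at a shifted address do not produce a match.
    h.update(start.to_bytes(4, "big") + end.to_bytes(4, "big"))
    h.update(memory[start:end])
    return h.digest()


class BootLoader:
    def __init__(self, start: int, end: int):
        self.start, self.end = start, end
        self.reference = WriteOnceRegister()

    def first_save(self, memory: bytes) -> None:
        """Record the reference hash when OS and application are first stored."""
        self.reference.provision(region_digest(memory, self.start, self.end))

    def boot(self, memory: bytes) -> str:
        """Change control: start the POS application only if the area is unchanged."""
        current = region_digest(memory, self.start, self.end)
        if not hmac.compare_digest(current, self.reference.read()):
            return "HALT"
        return "RUN_POS_APP"


def demo():
    # Constructed 64-byte image: bytes 16..47 stand for the OS and POS
    # application, the rest for user data outside the protected area.
    image = bytearray(range(64))
    loader = BootLoader(16, 48)
    loader.first_save(bytes(image))
    results = {"clean": loader.boot(bytes(image))}

    image[50] ^= 0xFF  # user data changes, outside the addressed area
    results["user_data_changed"] = loader.boot(bytes(image))

    image[20] ^= 0x01  # one bit flipped inside the protected area
    results["app_patched"] = loader.boot(bytes(image))

    try:
        loader.first_save(bytes(image))  # attempt to re-baseline after tampering
        results["reprovision"] = "accepted"
    except PermissionError:
        results["reprovision"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last case is the one that matters for the immutability claim: if the reference value could be rewritten, a modified application could simply be re-baselined and would pass the check.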

Example 3

A removable memory card 1, which contains only a minimal set necessary for the realization of payments is described in this example. Its structure is shown in the FIG. 4. This kind of removable memory card is designed only to be sold as a pre-paid payment card with pre-entered amount of money and is intended e.g. to be sold to tourist coming from a country with different currency. The removable memory card 1 contains an interface 11 with contacts in accordance with the microSD specification. In the plastic body of the removable memory card 1 there are two Secure Elements 31, 32. In the first Secure Element 31 there are configuration data of the POS terminal generated by the pre-paid card system's operator. In the second Secure Element 32 there are one-time payment card's data. Along with the removable memory card 1, the commercial package contains also a paper carrier with a scrap field, in which there is a corresponding PIN code for the management of access to the payment card. The memory card 1 executes all the operations as a common POS terminal held by the merchant when connected to the paying customer's payment card. The mobile phone's 4 facilities are used for displaying and communication.

Example 4

In this example the system is supplemented for the payment POS terminal's application initiator 22. It can be in the form of a single-purpose device with the NFC communication element. In this example the initiator is connected to the output of the cash register, which will send information on the total required payment to the output. The initiator 22 creates a file which contains the payment's value, information on the merchant's account and the request command. The initiator 22 sends this file to the mobile phone 4, which is applied to it, over the communication element 24. The reception of this file on the memory card 1 causes the launch of the payment POS terminal application. This solution enables the payment terminal in the mobile phone 4 of the user to be used for direct debit payments in normal stores that do not have their own POS terminal.

Example 5

In this example, as shown in FIGS. 3, 7 and 8, a system is described in which on the side of the merchant there is the Sales Device 28 in the form of a single-purpose box, which has a numeric keyboard 36, a display 37 and its own power source in the form of a rechargeable accumulator. The Sales Device 28 has an NFC communication element 35 with an antenna 21 under the surface of the upper cover, where the centre of the antenna 21 is graphically depicted on the outside of the cover with the guiding symbol 40 of the target. In its hardware, on the SAM card 42, the Sales Device 28 encompasses a Secure Element 6 into which the POS payment terminal 27 identification and also the Master Key for the encryption of the communicated data are loaded. In another version, the data can be loaded directly into the protected memory on the Sales Device's 28 printed circuit.

The merchant uses the Sales Device 28 in such a way that when selling he enters the amount he wants for his goods over the keyboard 36 to the display 37. After checking the amount on the display 37 the merchant presses the confirming button. After this act, the POS payment terminal's 27 identification data is encrypted using the Master Key and this encrypted data, along with the payment amount, is sent into the NFC communication element 35, which sends the encrypted message over antenna 41 and expects the mobile communication device 4 to be placed to the Sales Device 28. In his mobile communication device 4 the customer activates the launch of the payment application, and he does that through a special hardware keyboard or over a software button. After the creation of the NFC communication channel, the encrypted data from the Sales Device 28 are read and decrypted, the result of which is the POS terminal 27 identification data and the required payment amount.

This part of the transfer can be expressed also as

${{{3{{DES}\left\lbrack {{Mk}\left\{ {Cfg} \right\}} \right\rbrack}}\overset{\mspace{25mu} {NFC}\mspace{25mu}}{\rightarrow}{3{{DES}^{- 1}\left\lbrack {{Mk}\left\{ {Cfg} \right\}} \right\rbrack}}} = {Cfg}},$

where 3DES means encryption over the Triple Data Encryption Algorithm, Mk is the Master Key supplied by the payment processor, Cfg means configuration data and NFC represents the transfer path between the Sales Device and the removable memory card.

The paid amount can be verified by the customer on the display of his mobile communication device 4. The identification data from the Sales Device 28 serve for the indifferent POS terminal 27 on the removable memory card 1 to become a specific POS payment terminal 27 for the benefit of a given merchant.

This process can be expressed as

Cfg + Generic POS = ACg POS,

where Generic POS represents the identification of the indifferent, generic POS and ACg POS is the POS of a corresponding merchant.

Subsequently the payment terminal application runs in the normal way, e.g. according to the EMV standard. According to the preset risk management of the payment card 7 and with respect to the size of the amount being paid, it might be requested to enter the password, PIN code, which is entered by the customer on the keyboard of his mobile communication device 4. In this way high security is reached, since the payment terminal application runs directly on the removable memory card 1, where the payment cards' 7 units are also stored, and the sensitive data do not leave the hardware of the connection between the Sales Device 28 and the removable memory card 1. The result of the payment application is the creation of the payment cryptogram, which is sent into the Sales Device 28 and, in the case of online payment, is also sent over the interface 11 into the mobile communication device 4 and subsequently over the mobile network to the payment processor. The payment cryptogram can also be created and sent according to the relationship:

${3{{DES}\left\lbrack {{Mk}\left\{ {Transaction} \right\}} \right\rbrack}}\overset{\mspace{25mu} {NFC}\mspace{25mu}}{\rightarrow}$

-   -   pertinently to the payment processor's side as

${3{{DES}\left\lbrack {{Mk}\left\{ {Transaction} \right\}} \right\rbrack}}\overset{\mspace{25mu} {GPRS}\mspace{25mu}}{\rightarrow}$

-   -   The removable memory card is in this case in the form of a        microSD card.

Example 6

In this example according to FIG. 4, the Sales Device 28 is in the form of a device which has a slot for the insertion of the ICC card 29 with a reader of the corresponding format. The merchant can buy the Sales Device 28 anywhere and this Sales Device 28 does not have its own identity. The merchant receives the ICC card 29 of the common parameters according to ISO 7810, 85.60×53.98 mm, from the bank or the payment processor. The payment processor's Master Key and also the POS terminal's identification data for the assignment to a corresponding merchant are loaded in the Secure Element on the chip of the ICC card. By inserting the ICC card 29 into the reader, the Sales Device 28 according to our description is created. The Sales Device 28 also contains the mini-B USB connector 39, over which it is possible to connect a printer, computer and other output or input units in an extended configuration. The attendance and operation of the Sales Device 28 is similar to the first case; however, it differs in that after realizing the change the merchant takes out his ICC card 29 and can take it, e.g., to the bank for the processing of the off-line payments. The processing of this kind of ICC card 29 directly in ATM machines is also not excluded. This solution also has the advantage that the ICC card is easy to operate, is of practical parameters, and taking it out of the Sales Device 28 prevents its theft from the business premises, e.g. overnight. The ICC card 29 also offers space for the subsequent operation and backup of data in a computer with a simple reader.

The advantage of the configuration according to this example is also the possibility that one device with the reader, display 37 and keyboard 36 can be used by several merchants working in shifts in one business premises, while the payments are processed for the benefit of the corresponding merchant who has his ICC card 29 inserted in the reader at the moment.

Example 7

Besides the elements mentioned in the previous examples, the Sales Device 28 according to FIG. 5 also contains the RS232 (Recommended Standard 232) interface through which it can connect to the cash register 26. In this example the Sales Device 28 is basically an extension of the merchant's existing cash register 26 into the POS terminal 27, while the payment terminal application again runs on the removable memory card 1, which is, along with the mobile communication device 4, held by the customer.

Over the cable connection 38 the result from the cash register 26 is transferred into the Sales Device 28, where it appears on the display 37 and the merchant confirms it with a confirming button. Subsequently the process runs in the same way as if the paid amount had been entered over the Sales Device's 28 keyboard 36. In this connection it would not even be necessary for the Sales Device 28 to contain the keyboard 36 for the entry of the paid amount; however, for the sake of the usability of the Sales Device 28 in various systems, the keyboard 36 is part of the Sales Device 28 even in this example.

Example 8

In this example according to FIGS. 11 to 14, a system is described in which the removable memory card 1 is in the form of a microSD card. There are two Secure Elements 3 located on it in this example, where one Secure Element 3 is designed for the payment card unit 7, or respectively for several payment card units 7 from different issuers, and the second Secure Element 3 contains the payment terminal unit 5. In another example the removable memory card 1 can contain only one payment card unit 7 without the payment terminal unit 5 being localized.

The removable memory card 1 with a common flash memory 2 has the interface 11 of the common microSD standard and is inserted into the mobile communication device's 4 slot. It is a common slot designed for the insertion of extension memories.

In this example the NFC communication element 13 with antenna 21 is located on the removable memory card 1. The mobile communication device 4 has a payment button 44 located next to the keyboard 45. The payment button 44 is connected with a microswitch on the mobile communication device's 4. The specific realization of the microswitch is not important and can be in different forms, e.g. as a membrane switch, capacitive switch and similar.

The payment button 44 is connected to the firmware in such a way that the only acceptable order for the change of access mode of the removable memory card 1 can come from the contact of the payment button 44, at least in case the mobile communication device 4 is equipped with this kind of payment button 44. In case the same removable memory card 1 is inserted into the slot of a mobile communication device 4 without the dedicated hardware payment button 44, the change of access mode will be realized over a menu on the display 46 of the mobile communication device 4. That being the case, the removable memory card 1 will be functional in both access modes; however, the entire connection with the mobile communication device 4 will have lower security of the payment.

In a mobile phone which is equipped with the payment button 44, it will not be possible to access the Secure Element 3 on the removable memory card in any other way than over the predefined firmware connected with the payment button 44. In this example it will be the LGM application.

The two access modes can have the following characteristics:

| | access mode extension of the memory function | access mode for payment function |
|---|---|---|
| read/write files | YES | YES |
| NFC communication | NO | NO |
| extended access (SDIO . . .) | YES/NO according to the phone | YES |
| access to the SE from the application in the phone | NO | YES |
| file cache memory in flash | YES/NO according to the phone | NO |
| permanent powering of the card | YES/NO according to the phone | YES |

In the access mode of the payment function, the caching of the files on the removable memory card 1 will be switched off, the access to the flash memory 2 and the access into the file system will be supported.

In case the mobile communication device 4 is capable of supporting a higher communication interface, e.g. the SDIO standard (Secure Digital Input Output), McEX, the corresponding interface can be accessible even in the access mode of the payment function.
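The access-mode gating of this example, together with the return to the memory-extension mode that the claims require once a payment ends or is interrupted, can be modelled as a small state machine. The following C sketch is an added illustration, not code from the patent; all type and function names are assumptions, as is the rejection of any request source other than the display menu on a phone without the payment button.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only, not the patent's firmware; all names are assumptions. */
typedef enum { MODE_MEMORY_EXTENSION, MODE_PAYMENT } access_mode_t;
typedef enum { SRC_PAYMENT_BUTTON, SRC_DISPLAY_MENU, SRC_OTHER_INPUT } request_src_t;
typedef enum { OP_FILE_RW, OP_SECURE_ELEMENT } card_op_t;

typedef struct {
    access_mode_t mode;
    bool host_has_payment_button; /* phone has the hardware payment button 44 */
    bool host_caches_files;       /* "YES/NO according to the phone" in the table */
} card_t;

/* The card always starts as a plain memory extension. */
void card_init(card_t *c, bool has_button, bool caches_files) {
    c->mode = MODE_MEMORY_EXTENSION;
    c->host_has_payment_button = has_button;
    c->host_caches_files = caches_files;
}

/* Request a switch to the payment mode.
 * With a hardware button, only the button is an acceptable source, so a
 * menu entry or emulated input cannot unlock the Secure Element.
 * Without a button, the display menu is the (weaker) fallback. */
bool card_request_payment_mode(card_t *c, request_src_t src) {
    request_src_t required = c->host_has_payment_button ? SRC_PAYMENT_BUTTON
                                                        : SRC_DISPLAY_MENU;
    if (src != required)
        return false; /* rejected, mode unchanged */
    c->mode = MODE_PAYMENT;
    return true;
}

/* File read/write works in both modes; the Secure Element only in payment mode. */
bool card_allows(const card_t *c, card_op_t op) {
    switch (op) {
    case OP_FILE_RW:        return true;
    case OP_SECURE_ELEMENT: return c->mode == MODE_PAYMENT;
    }
    return false; /* unknown operation: deny */
}

/* File caching is switched off for the whole payment mode. */
bool card_file_cache_enabled(const card_t *c) {
    return c->mode == MODE_MEMORY_EXTENSION && c->host_caches_files;
}

/* Called when the payment completes or is interrupted. */
void card_end_payment(card_t *c) {
    c->mode = MODE_MEMORY_EXTENSION;
}

int main(void) {
    card_t c;
    card_init(&c, true, true);
    printf("SE access before button press: %d\n", card_allows(&c, OP_SECURE_ELEMENT));
    printf("menu request accepted:         %d\n",
           card_request_payment_mode(&c, SRC_DISPLAY_MENU));
    printf("button request accepted:       %d\n",
           card_request_payment_mode(&c, SRC_PAYMENT_BUTTON));
    printf("SE access in payment mode:     %d\n", card_allows(&c, OP_SECURE_ELEMENT));
    printf("file cache in payment mode:    %d\n", card_file_cache_enabled(&c));
    card_end_payment(&c);
    printf("SE access after payment ends:  %d\n", card_allows(&c, OP_SECURE_ELEMENT));
    return 0;
}
```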

INDUSTRIAL APPLICABILITY

The industrial applicability is obvious. With this invention, it is possible to industrially and repeatedly manufacture and use payment terminals implemented into the memory cards, with one or also more payment cards in one memory card. It is also possible to create and use POS payment terminals which are created temporarily for the purpose of a specific payment by a connection of the Sales Device and the mobile communication device. The necessary structures of the merchant's POS terminal are then created only after the connection with the removable memory card in the mobile communication device of the paying user is realized.

According to this solution it is also possible to industrially and repeatedly introduce the hardware payment button into the mobile communication device, where this button represents the selector of the current access mode of the removable memory card.

LIST OF RELATED SYMBOLS

-   1—a memory card
-   2—a memory
-   3—a secure element
-   31—the POS terminal's Secure Element
-   32—the payment card's Secure Element
-   4—a mobile communication device
-   5—a payment POS terminal application
-   6—a terminal's configuration data unit
-   7—a payment card unit
-   8—an operating system unit
-   9—a boot-loader unit
-   10—an internal microcontroller memory
-   11—an interface
-   12—a microcontroller
-   13—a communication element
-   14—an encryption unit
-   15—a freely accessible user's data space
-   16—a non-financial application unit
-   17—a flash memory controller
-   18—a web server unit
-   19—a download management unit
-   20—a hidden data space
-   21—an antenna
-   22—an initiator
-   23—the payment receiver's computer
-   24—the initiator's communication element
-   25—the payment procession headquarters
-   26—cash register
-   27—POS payment terminal
-   28—Sales Device
-   29—ICC card
-   35—Sales Device communication element
-   36—keyboard
-   37—display
-   38—connection to the cash register
-   39—external connector
-   40—target symbol
-   41—Sales Device antenna
-   42—SAM card
-   43—temporary contactless connection
-   44—payment button
-   45—keyboard of the mobile communication device
-   46—display

1. A payment terminal using a mobile communication device, such as a mobile phone, where the payment terminal contains a memory, an interface (11) and microcontroller (12), while the microcontroller (12) is connected with the memory and the interface (11), the POS terminal also contains the unit (5) with the payment terminal application and it also contains even the unit (6) with the payment terminal's configuration data in the secured part of the memory (3, 31, 32), is characterised by the fact that the payment terminal, along with the payment terminal's corresponding configuration data is located on a removable memory card (1) which is adjusted in such a way so it can be inserted into an additional hardware slot which is used to add functionalities that surpass the basic functions of the mobile communication device (4), the removable memory card (1) contains a secured memory (3, 31) with the POS terminal's configuration data unit (6) and it also contains a secured memory (3, 32) with the payment card unit (7), where the payment card unit (7) is located separately from the POS terminal's configuration data, the secured memories (3, 31, 32) are linked to the microcontroller (12) and the microcontroller (12) is linked to the interface (11) for the connection to the mobile communication device's (4) circuits.
 2. A payment terminal as in the claim 1 is characterised by the fact that the secured memories for the payment terminal's configuration data unit (6) and for the payment card's unit (7) are created as independent domains of one Secure Element (3).
 3. The payment terminal as in the claim 1 is characterised by the fact that the secured memory for the storage of payment terminal's configuration data is formed by the Secure Element (31), which is hardware separate from the independent Secure Element (32) with the payment card's unit (7).
 4. A payment terminal as in any of the claims 1 to 3 is characterised by the fact that the memory card (1) is of the SD type or miniSD or microSD card or M2 and the interface (11) is of the SD type or M2 type.
 5. A payment terminal as in any of the claims 1 to 4 is characterised by the fact that the memory card (1) has at least two-conductor, preferably four-conductor data bus.
 6. A payment terminal as in any of the claims 1 to 5 is characterised by the fact that the memory card's (1) largest parameter is smaller than 24 mm and the second largest parameter is smaller than 14 mm.
 7. A payment terminal as in any of the claims 1 to 6 is characterised by the fact that the microcontroller (12) contains an undeletable internal memory (10), preferably of the EEPROM type, the microcontroller (12) also contains a boot-loader unit (9) for unauthorized interventions control in the loaded payment POS terminal application.
 8. A payment terminal as in any of the claims 1 to 7 is characterised by the fact that the memory card (1) is equipped with a contactless communication element (13) which is connected to the Secure Element (3, 31, 32) and/or to the microcontroller (12).
 9. A payment terminal as in the claim 8 is characterised by the fact that on the memory card (1) there is an antenna (21) that is connected to a contactless communication element (13).
 10. A payment terminal as in any of the claims 1 to 9 is characterised by the fact that in the secure element (3, 31) there are at least two units (6) with configuration data from different independent terminals.
 11. A payment terminal as in any of the claims 1 to 10 is characterised by the fact that in the secure element (3, 32) there are at least two units (7) holding independent payment cards with corresponding payment applications, preferably of the EMV standard.
 12. A payment terminal as in any of the claims 1 to 11 is characterised by the fact that the memory (2), preferably of flash type has at least one part of its space that is secured, in this secured area there will be the payment POS terminal application (5) stored.
 13. A payment terminal as in any of the claims 1 to 12 is characterised by the fact that in the memory (2) there is a memory controller unit (17), a download management unit (19) and preferably also a web server unit (18).
 14. A payment terminal as in any of the claims 1 to 13 is characterised by the fact that in the secure element (3, 31, 32) there is a non-financial application unit (16).
 15. A payment terminal as in any of the claims 8 to 14 is characterised by the fact that the contactless communication element (13) is of NFC type, meeting the ISO14443 standards.
 16. A payment terminal as in any of the claims 1 to 15 is characterised by the fact that the memory (2) has in its unprotected part a space (20) data hidden to the user and a space (15) for free access data of the user.
 17. A payment terminal as in any of the claims 1 to 16 is characterised by the fact that it also encompasses initiator (22) of the payment POS terminal application that is located in the store and it contains a unit generating the payment's value; the initiator (22) is equipped with the communication element (24), which is compatible with the communication element (13) on the removable memory card (1) or with the short-distance communication element of the mobile communication device (4).
 18. A payment terminal (27) using a mobile communication device (4), especially a mobile phone, in which the payment terminal (27) encompasses a unit (5) on the run of the payment terminal application, a secured memory with the POS terminal's identification data for matching the merchant and an interface, is characterised by the fact that the payment terminal (27) is formed by a temporary contactless connection (43) of the merchant's Sales Device (28) with the removable memory card (1) where the removable memory card (1) is inserted into the customer's slot of the mobile communication device (4) and Sales Device (28) contains a secured unit (6) with the POS terminal's identification data.
 19. The payment terminal (27) according to the claim 18 is characterised by the fact that the removable memory card (1) contains: unit (5) for the run of the payment terminal application, secured memory (3, 32) with at least one payment card unit (7), communication element (13) with the antenna (21) for the connection with the Sales Device (28), where the secured memories (3, 31, 32) are connected with the microcontroller (12) and the microcontroller (12) is connected with the interface (11) for the connection to the circuits of the mobile communication device (4) and where the Sales Device (28) contains: secure element (6) with POS terminal's identification data, encryption key, and a communication element (35) with antenna (41) for the connection with the removable memory card (1).
 20. A payment terminal (27) as in the claim 18 or 19 is characterised by the fact that the secure unit (6) with the POS terminal's identification data is located on the SAM card (42) which is inserted into the Sales Device (28).
 21. A payment terminal (27) as in the claim 18 or 19 is characterised by the fact that the secure unit (6) with the POS terminal's identification data is located on the ICC card (29) which is inserted into the Sales Device's (28) reader.
 22. A payment terminal (27) as in any of the claims 18 to 21 is characterised by the fact that the Sales Device (28) has a keyboard (36) for the insertion of the amount being paid and a display (37).
 23. A payment terminal (27) as in any of the claims 18 to 22 is characterised by the fact that the removable memory card (1) has two secure elements (31, 32) where the payment card secure element (32) contains several separate domains for the independent payment card units (7).
 24. A payment terminal (27) as in any of the claims 18 to 23 is characterised by the fact that the removable memory card (1) has a memory (2) for the unprotected data of the user.
 25. A payment terminal (27) as in any of the claims 18 to 24 is characterised by the fact that the Sales Device (28) has a connector (39) for the connection of external devices.
 26. A payment terminal (27) as in any of the claims 18 to 25 is characterised by the fact that the Sales Device (28) has a connection (38) to the cash register (26).
 27. A payment terminal as in any of the claims 1 to 26 is characterised by the fact that the removable memory card (1) has two access modes: access mode for the function of the extension of the mobile communication device's (4) memory capacity, which blocks the access to Secure Element (3) and to the contactless communication element (13) on the removable memory card (1), and access mode for the payment function of the removable memory card (1) with allowed access to the Secure Element (3) with the payment card unit (7) and with the activation of the contactless communication element (13) on the removable memory card (1), where the access mode for the payment function of the removable memory card (1) is active only after physical press of the hardware payment button (44).
 28. A payment terminal as in any of the claims 1 to 27 is characterised by the fact that the unit (5) with the payment terminal is accessible exclusively in the access mode for the payment function of the removable memory card (1).
 29. A payment terminal as in any of the claims 1 to 28 is characterised by the fact that the software in the mobile communication device (4) blocks the possibility of emulation of the signal from the payment button (44) by other input.
 30. A method of a direct debit payment transaction that is using a mobile communication device, preferably a mobile phone and that runs payment POS terminal application, mainly of the EMV type is characterised by the fact that the payment POS terminal application runs on a removable memory card (1) that is inserted into the mobile communication device's (4) slot for additional hardware, while the communication with the payment card runs within the removable memory card's (1) circuits.
 31. A method of a direct debit payment transaction as in the claim 30 is characterised by the fact that the payment POS terminal application will be loaded into the microcontroller (12) located in the memory card (1), and subsequently the configuration data of the selected terminal's identity are loaded from the secure element (3, 31).
 32. A method of a direct debit payment transaction as in the claim 30 or 31 is characterised by the fact that the data about the selected payment card are loaded from the secure element (3, 32) into the microcontroller (12), which operates as a payment terminal.
 33. A method of a direct debit payment transaction as in any of the claims 30 to 32 is characterised by the fact that during or before the initiation of the POS terminal, the boot-loader unit (9) runs the change control in the payment POS terminal application.
 34. A method of a direct debit payment transaction as in any of the claims 30 to 33 is characterised by the fact that the payment POS terminal application is managed through an input device of the mobile communication device (4), mainly a keyboard.
 35. A method of a direct debit payment transaction as in any of the claims 30 to 34 is characterised by the fact that the data about the requested payment's amount are inserted into the payment POS terminal application from the separate initiator (22), which sends the data about the required payment, along with the initiation command, over contactless communication channel.
 36. A method of a direct debit payment transaction using a mobile communication device, such as a mobile phone is characterised by the fact that the payment terminal (27) is created before or during the payment process by a temporary connection of the merchant's Sales Device (28) with the removable memory card (1), which is held by the customer.
 37. A method of a direct debit payment as in the claim 36 is characterised by the fact that the POS terminal's identification data are loaded onto the removable memory card (1) from the Sales Device (28), preferably over encrypted transfer and subsequently the generic POS terminal on the removable memory card (1) becomes the POS terminal of the corresponding merchant.
 38. A method of a direct debit payment as in the claim 36 or 37 is characterised by the fact that the payment terminal application runs on the removable memory card, where the data from the unit (7) of the payment card according to the customer's choice, are used.
 39. A method of a direct debit payment as in any of the claims 36 to 38 is characterised by the fact that after the payment cryptogram is created, it is sent into the Sales Device (28) where it is stored in the memory of the realized payments records.
 40. A method of a direct debit payment as in any of the claims 36 to 39 is characterised by the fact that after the payment cryptogram is created, the payment cryptogram (4) is sent over the interface (11) and subsequently over the mobile communication device (4) into the payment processor centre (25).
 41. A method of a direct debit payment as in any of the claims 36 to 40 is characterised by the fact that the carrier with the realized payments records is offered to the bank or payment processor centre (25) for processing after it is taken out of the Sales Device (28).
 42. A method of a direct debit payment as in any of the claims 36 to 41 is characterised by the fact that the data about the payment value are inserted into the removable memory card from the Sales Device (28) by manual insertion over the keyboard (36) or over the connection (38) with the cash register (26).
 43. A method of a direct debit payment as in any of the claims 30 to 42 is characterised by the fact that the removable memory card (1) is in the access mode for the memory capacity extension function before the payment process is run, the payment card unit (7) is inaccessible from the interface's (11) side and exclusively after physical press of the payment hardware button (44) the removable memory card (1) switches into the access mode for the payment function of the removable memory card (1) with allowed access to the payment card unit (7).
 44. A method of a direct debit payment as in any of the claims 30 to 43 is characterised by the fact that the Secure Element (3) with the payment terminal unit (5) is accessible after the removable memory card (1) is switched into the access mode for the payment function.
 45. A method of a direct debit payment as in any of the claims 29 to 43 is characterised by the fact that after the payment process is ended and/or interrupted the removable memory card (1) is switched into the access mode for the function of extending the memory capacity of the mobile communication device (4). 